Cyber criminals check into hotels

Hotels offer ample opportunity for cyberattacks in the wake of increasing credit card transactions at check-in, as well at hotel bars, restaurants and shops, cautions PwC’s Hospitality and Gaming Industry. “Each charge made at a spa, gift shop, bar or restaurant during the course of a guest’s stay is another opportunity for cyber theft,” says Nikki Forster, Hospitality Industry Leader for PwC, Southern Africa. “For business travellers, access to fast and low-cost internet is a must have. But these Wi- Fi connections are not always secure. And that is a security gap that cyber criminals are making use of,” adds Forster.

According to PwC’s recent 5th edition of the Hospitality Outlook 2015-2019, the security of guest information and operational technology has emerged as an enterprise-wide business risk for the hotel industry. These cyber risks are influenced by the growing strategic importance of technology and increased value of intangible assets, such as guest information, created and managed on hotel technology platforms.

Over the years hackers have been infiltrating hotel networks and have infected hotel-owned computers and guest computers with the aim of stealing personal and confidential information. Hotel networks have been attacked using mathematical techniques and crypto-analytical offensive capabilities. “This is usually done by hackers waiting for guests to check in and log on to the hotel Wi-Fi by usually submitting their room number and surname,” explains Veneta Eftychis, Senior Manager, PwC Hospitality and Gaming Industry. “Thereafter the hotel guest gets tricked into downloading and installing a so-called backdoor file, which pretends to be an update for legitimate software, such as the Google Toolbar or Adobe Flash.”

The unsuspecting guest downloads this hotel ‘welcome package’ only to infect his or her machine with spying software. Once on a network, the backdoor may be used further to download more advanced tools such as an advanced key logger. Downloaded software may also look for Twitter, Facebook and Google login credentials, as well as other private information.

Eftychis says that the activities of hackers have been so strategic in many circumstances that they even appear to have known the names, arrival and departure times, and room numbers of the targets in past attacks. After such attacks, the hackers delete their tools from the hotel network and go back into hiding.

An example of one of the most widespread attacks experienced in the industry has been committed by the so-called DarkHotel group, believed to have been active for the past four years, which targets high profile guests staying in hotels where there is free Wi-Fi that was assumed to be secure.

South Africa was also hit by a massive cyber fraud attack during 2012 and 2013 in which the payment card systems of thousands of shops, restaurants and hotels were compromised. The attackers used malware known as Dexter and were linked to a series of attacks on point-of-sale systems worldwide. The malware skimmed and transmitted credit cards’ magnetic-strip information, allowing clones to be made that were used for fraudulent purposes.

Eftychis says there are a number of safeguards that guests can put in place in order to mitigate the risks of attack. These include, amongst others, the keeping up to date of antivirus software before leaving home; avoiding updating software or clicking files when not on trusted networks; and using a virtual private network (VPN) to establish an encrypted communication channel when accessing public or semi-public Wi-Fi.

Furthermore, hotels should consider doing more to mitigate the risk, says Eftychis. For instance, they can implement the most up-to-date prevention and risk management practices. Hotels should also take into account intentional acts of theft by employees. For example, food and beverage servers can use small devices, easily hidden in a pocket, to swipe customer credit cards over an extended period of time and then sell the data.

Hotels can also define roles, responsibility and oversight of staff. Responsibility for data security may fall with within the domain of the chief information officer or chief security officer. Board oversights should also be considered. In addition a risk assessment should be conducted.

“The impact of a cyber attack can be far-reaching and devastating,” says Eftychis. Firstly, there is a financial impact when any type of computer security breach occurs. Costs can include forensic computer investigations to confirm the breach and identify whose information has been put at risk. Other costs include credit or identity protection services for affected individuals, and crisis management and PR specialists to help mitigate the potential fallout from breach event.

Secondly, breach of cyber security can also impact a company’s performance. Eftychis points out, recent breaches have been seen to have an impact on customer loyalty and store traffic, which has the potential to have a lasting impact on long-term profitability and share value.

Security breaches can also carry personal risk for hotel executives and board members. Attacks are drawing increased scrutiny from government regulators worldwide who want to ensure directors and officers are taking necessary steps to prevent breaches.

“Unfortunately cybercriminals are getting faster and more sophisticated – to stem the tide hotels also need to stay proactive and put a strategy and incident response plan in place. As part of the plan hotels should be aware of policies and processes relating to data breach, and educate staff on protocols,” concludes Eftychis.